validate_url: only allow safe ports (80, 443), disallow access to loopback

2020-09-15 10:39:09 +03:00 · 2020-09-15 10:39:09 +03:00 · aa89ea7769
parent 6c02fea641
commit aa89ea7769
1 changed files with 6 additions and 3 deletions
--- a/include/functions.php
+++ b/include/functions.php
@ -1941,9 +1941,15 @@
 		if (!$tokens['host'])
 			return false;

+		if (!in_array($tokens['port'], [80, 443, '']))
+			return false;
+
 		if (!in_array($tokens['scheme'], ['http', 'https']))
 			return false;

+		if ($tokens['host'] == 'localhost' || $tokens['host'] == '::1' || strpos($tokens['host'], '127.') === 0)
+			return false;
+
 		//convert IDNA hostname to punycode if possible
 		if (function_exists("idn_to_ascii")) {
 			if (mb_detect_encoding($tokens['host']) != 'ASCII') {
@ -1952,8 +1958,5 @@
 			}
 		}

-		/* if ($tokens['host'] == 'localhost' || $tokens['host'] == '127.0.0.1')
-			return false; */
-
 		return $url;
 	}